Library flaws reported within your Android SDK

Description
Our quality/security tool Veracode reported multiple flaws in the Zoom Android SDK. Could you look at the reported issues (I don’t have access to those files)? Also, some might be false positive flaws.

Which Android Meeting SDK version?
zoom-sdk-android-5.7.1.1268

List of the reported issues:

Cryptographic Issues (Use of a Broken or Risky Cryptographic Algorithm):

  • us\zoom\net\X509Util.java (line 380)
  • us\zoom\androidlib\utils\ZmFileUtils.java (line 666)
  • com\zipow\videobox\g\UpgradeMgr.java (line 560)

Use of Hard-coded Password:

  • us\zoom\sdk\ZoomSDK.java (line 1)

Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’):

  • us\zoom\androidlib\app\ZMFileListActivity.java (line 220)

Best regards

Hi @nicolas.bonnet, thanks for bringing this up.

We are reviewing this with our security team and will keep you updated as soon as we are able.

Thanks!

Hi @jon.zoom
Any news regarding the issues mentioned above?

Thanks

Hi @nicolas.bonnet,

I have not heard any updates from our security on this yet. I’ll follow up with them and keep you posted.

Thanks!

Hi @nicolas.bonnet,

Looking at our Vulnerability Disclosure Policy, it seems that we ask that potential security issues or concerns be reported directly to our Security Team using our HackerOne form or by emailing them directly at security@zoom.us.

Thanks for thinking of Zoom Security! Hope you get a bounty!
